Diffstat (limited to 'BaseTools/Plugin/CodeQL')
-rw-r--r-- | BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py | 11 | ||||
-rw-r--r-- | BaseTools/Plugin/CodeQL/CodeQlQueries.qls | 2 | ||||
-rw-r--r-- | BaseTools/Plugin/CodeQL/analyze/analyze_filter.py | 6 | ||||
-rw-r--r-- | BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml | 13 | ||||
-rw-r--r-- | BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml | 13 | ||||
-rw-r--r-- | BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml | 13 | ||||
-rw-r--r-- | BaseTools/Plugin/CodeQL/integration/stuart_codeql.py | 2 |
7 files changed, 41 insertions, 19 deletions
diff --git a/BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py b/BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
index 9734478..88a533c 100644
--- a/BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
+++ b/BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
@@ -3,6 +3,7 @@ # A build plugin that analyzes a CodeQL database.
#
# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (C) 2024 Advanced Micro Devices, Inc. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent
##
@@ -78,6 +79,11 @@ class CodeQlAnalyzePlugin(IUefiBuildPlugin): # Packages are allowed to specify package-specific query specifiers
# in the package CI YAML file that override the global query specifier.
audit_only = False
+ global_audit_only = builder.env.GetValue("STUART_CODEQL_AUDIT_ONLY")
+ if global_audit_only:
+ if global_audit_only.strip().lower() == "true":
+ audit_only = True
+
query_specifiers = None
package_config_file = Path(os.path.join(
self.package_path, self.package + ".ci.yaml"))
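Review bot: The precedence between the global STUART_CODEQL_AUDIT_ONLY value and any package-level setting changes with this move, and the new lines carry no comment saying so. Because the environment value is now read before the package CI YAML is parsed, an audit-only value assigned in the parsing code between this hunk and the `-94,11` hunk (not visible here) would presumably override a global `true`, where previously the global value was applied last. Audit-only mode presumably decides whether findings fail the build, so the order should be explicit, e.g. `# Global default; a package-level audit-only setting in the CI YAML takes precedence.` above the new block. The nested `if`s can also be one condition: `if global_audit_only and global_audit_only.strip().lower() == "true":`. The enclosing method starts and ends outside the hunk.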
@@ -94,11 +100,6 @@ class CodeQlAnalyzePlugin(IUefiBuildPlugin): f"{str(package_config_file)}")
query_specifiers = plugin_data["QuerySpecifiers"]
- global_audit_only = builder.env.GetValue("STUART_CODEQL_AUDIT_ONLY")
- if global_audit_only:
- if global_audit_only.strip().lower() == "true":
- audit_only = True
-
if audit_only:
logging.info(f"CodeQL Analyze plugin is in audit only mode for "
f"{self.package} ({self.target}).")
diff --git a/BaseTools/Plugin/CodeQL/CodeQlQueries.qls b/BaseTools/Plugin/CodeQL/CodeQlQueries.qls
index 34fa6b3..0da9baf 100644
--- a/BaseTools/Plugin/CodeQL/CodeQlQueries.qls
+++ b/BaseTools/Plugin/CodeQL/CodeQlQueries.qls
@@ -2,7 +2,7 @@ - description: C++ queries
- queries: '.'
- from: codeql/cpp-queries
+ from: codeql/cpp-queries@1.1.0
##########################################################################################
# Queries
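Review bot: The new pin `from: codeql/cpp-queries@1.1.0` has no comment tying it to the CodeQL CLI version, so someone editing this file alone will not see that the two must move together. The update instructions added by this commit live only in the three `codeql*_ext_dep.yaml` files. A line above the pin such as `# Pack version must match the CodeQL CLI version in codeqlcli*_ext_dep.yaml (see the instructions there).` would close that gap.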
diff --git a/BaseTools/Plugin/CodeQL/analyze/analyze_filter.py b/BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
index f363dd3..dd9f149 100644
--- a/BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
+++ b/BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
@@ -60,15 +60,15 @@ def _match_path_and_rule( return result
-def _parse_pattern(line: str) -> Tuple[str]:
+def _parse_pattern(line: str) -> Tuple[bool, str, str]:
"""Parses a given pattern line.
Args:
line (str): The line string that contains the rule.
Returns:
- Tuple[str]: The parsed sign, file pattern, and rule pattern from the
- line.
+ Tuple[bool, str, str]: The parsed sign, file pattern,
+ and rule pattern from the line.
"""
sep_char = ':'
esc_char = '\\'
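Review bot: The Returns text still calls the first element only "the parsed sign", which does not tell a caller what the `bool` in `Tuple[bool, str, str]` means. Since this tuple feeds result filtering, the docstring should state the polarity, i.e. which value marks a pattern that includes results and which one excludes them. The function body continues past the end of the hunk, so the exact meaning has to be taken from there.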
diff --git a/BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml b/BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
index dbc9c2b..3be80cb 100644
--- a/BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
+++ b/BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
@@ -8,6 +8,13 @@ # In an environment where a platform might build in different operating systems, it is recommended to set
# the scope for the appropriate CodeQL external dependency based on the host operating system being used.
#
+# ****VERSION UPDATE INSTRUCTIONS****
+#
+# When updating the CodeQL CLI used here, update the corresponding codeql/cpp-queries version in CodeQlQueries.qls.
+# Visit the `qlpack.yml` in the release branch for the CodeQL CLI to get the version to use there. For example, the
+# CodeQL CLI 2.18.1 file is https://github.com/github/codeql/blob/codeql-cli-2.18.1/cpp/ql/src/qlpack.yml and the
+# pack version there is 1.1.0.
+#
# Copyright (c) Microsoft Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent
##
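Review bot: The new update instructions cover the `codeql/cpp-queries` pin but not the other two ext_dep files, which share the single `CodeQlQueries.qls`. If only one of the three is bumped, the pack version in the `.qls` presumably matches only that host's CLI. Adding a sentence such as `# Update all three codeqlcli*_ext_dep.yaml files to the same CLI version, together with each "sha256" value.` would make the instructions complete. The same comment block is added in `codeqlcli_linux_ext_dep.yaml` and `codeqlcli_windows_ext_dep.yaml`.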
@@ -16,9 +23,9 @@ "scope": "codeql-ext-dep",
"type": "web",
"name": "codeql_cli",
- "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.17.3/codeql.zip",
- "version": "2.17.3",
- "sha256": "e5ac1d87ab38e405c9af5db234a338b10dffabc98a648903f1664dd2a566dfd5",
+ "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.18.1/codeql.zip",
+ "version": "2.18.1",
+ "sha256": "815f71c1a46e76f9dafdec26c2a4bab7ea4019a3773e91e39253e2d21cf792a2",
"compression_type": "zip",
"internal_path": "/codeql/",
"flags": ["set_shell_var", ],
diff --git a/BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml b/BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
index 536322f..e3fd40c 100644
--- a/BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
+++ b/BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
@@ -6,6 +6,13 @@ # systems, it is recommended to set the scope for the appropriate CodeQL external dependency based on the
# host operating system being used.
#
+# ****VERSION UPDATE INSTRUCTIONS****
+#
+# When updating the CodeQL CLI used here, update the corresponding codeql/cpp-queries version in CodeQlQueries.qls.
+# Visit the `qlpack.yml` in the release branch for the CodeQL CLI to get the version to use there. For example, the
+# CodeQL CLI 2.18.1 file is https://github.com/github/codeql/blob/codeql-cli-2.18.1/cpp/ql/src/qlpack.yml and the
+# pack version there is 1.1.0.
+#
# Copyright (c) Microsoft Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent
##
@@ -14,9 +21,9 @@ "scope": "codeql-linux-ext-dep",
"type": "web",
"name": "codeql_linux_cli",
- "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.17.3/codeql-linux64.zip",
- "version": "2.17.3",
- "sha256": "9fba000c4b821534d354bc16821aa066fdb1304446226ea449870e64a8ad3c7a",
+ "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.18.1/codeql-linux64.zip",
+ "version": "2.18.1",
+ "sha256": "1547f4a3b509474404daf2e4b821f71cd93462ec45322d9124c2b04e3d52c771",
"compression_type": "zip",
"internal_path": "/codeql/",
"flags": ["set_shell_var", ],
diff --git a/BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml b/BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
index 93a81ff..5e6add8 100644
--- a/BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
+++ b/BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
@@ -6,6 +6,13 @@ # systems, it is recommended to set the scope for the appropriate CodeQL external dependency based on the
# host operating system being used.
#
+# ****VERSION UPDATE INSTRUCTIONS****
+#
+# When updating the CodeQL CLI used here, update the corresponding codeql/cpp-queries version in CodeQlQueries.qls.
+# Visit the `qlpack.yml` in the release branch for the CodeQL CLI to get the version to use there. For example, the
+# CodeQL CLI 2.18.1 file is https://github.com/github/codeql/blob/codeql-cli-2.18.1/cpp/ql/src/qlpack.yml and the
+# pack version there is 1.1.0.
+#
# Copyright (c) Microsoft Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent
##
@@ -14,9 +21,9 @@ "scope": "codeql-windows-ext-dep",
"type": "web",
"name": "codeql_windows_cli",
- "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.17.3/codeql-win64.zip",
- "version": "2.17.3",
- "sha256": "4c6fbf2ea2eaf0f47bf0347eacf54c6b9d6bdf7acb6b63e17f9e6f2dd83b34e7",
+ "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.18.1/codeql-win64.zip",
+ "version": "2.18.1",
+ "sha256": "eb69c9ce40142904965ca3f2491c989f12747d74358385e2e94c427b4324201c",
"compression_type": "zip",
"internal_path": "/codeql/",
"flags": ["set_shell_var", ],
diff --git a/BaseTools/Plugin/CodeQL/integration/stuart_codeql.py b/BaseTools/Plugin/CodeQL/integration/stuart_codeql.py
index a3941d1..4e1c4d1 100644
--- a/BaseTools/Plugin/CodeQL/integration/stuart_codeql.py
+++ b/BaseTools/Plugin/CodeQL/integration/stuart_codeql.py
@@ -29,7 +29,7 @@ def add_command_line_option(parser: ArgumentParser) -> None: "BaseTools/Plugin/CodeQL/Readme.md for more info.")
-def get_scopes(codeql_enabled: bool) -> Tuple[str]:
+def get_scopes(codeql_enabled: bool) -> Tuple[str, ...]:
"""Returns the active CodeQL scopes for this build.
Args: